Tech News
The OpenJS Foundation accepts NVM as its first new incubating project since the Node.js Foundation and JSF merger

Bhagyashree R
04 Oct 2019
2 min read
Yesterday, the OpenJS Foundation announced that Node Version Manager (NVM) is joining the organization as an incubating project. It is the first new project to enter the OpenJS Foundation’s incubation process since the Node.js Foundation and JSF merger. That merger, completed in March this year, aimed to accelerate the development of JavaScript, combine the two governance structures, and more.

“nvm is joining the OpenJS Foundation as an incubating project, and upon successful completion of onboarding, it will become an “At-Large” project. An “At-Large” project is one which is “stable projects with minimal needs,” the announcement reads.

Node Version Manager (NVM) and its functions

NVM is a tool that lets programmers switch seamlessly between different versions of Node.js. It comes in handy when you work on several Node.js projects or want to check your library for maximum backward compatibility. It is a POSIX-compliant bash script and supports multiple shells, including sh, zsh, dash and ksh, but not fish. NVM also makes installing Node a very easy process by handling the compilation on systems that don’t have prebuilt binaries available. You can install multiple versions of Node on a single system, each with its own node_modules directory for global package installs. Since NVM stores globally installed modules inside the user’s home directory, it removes the need for sudo when used with npm.

NVM is an important part of the Node.js and JavaScript ecosystem, and joining the OpenJS Foundation will help its further development, stability, and governance. “By joining the OpenJS Foundation, there are multiple organizational and infrastructure areas that will be better supported, helping both current users and future users including ensuring no single point of failure for the nvm.sh domain, GitHub repo, and more,” the OpenJS Foundation wrote in the announcement.

Check out the official announcement by the OpenJS Foundation to know more in detail.


An unpatched security issue in the Kubernetes API is vulnerable to a “billion laughs” attack

Vincy Davis
04 Oct 2019
3 min read
Last week, a potentially serious and unpatched security issue in the Kubernetes API server was disclosed in the Kubernetes GitHub repository by StackRox. The issue lies in how the Kubernetes API server parses YAML (Yet Another Markup Language), the format used for specifying configuration-type information, and it makes a cluster’s Kubernetes API service vulnerable to a “billion laughs” attack, a type of denial-of-service (DoS) attack. The vulnerability has been assigned CVE-2019-11253; however, details of the attack are being withheld until the Kubernetes organization makes the security problem public. Kubernetes has not yet released a security patch to fix the underlying vulnerability.

StackRox states, “The issue once again serves as a reminder that, like all software, Kubernetes is vulnerable to zero-day exploits. Thus, mere access to your Kubernetes API server should be treated as sensitive, regardless of how tight your application-level authorization policies (i.e., Kubernetes RBAC) are.”

Read Also: CNCF-led open-source Kubernetes security audit reveals 37 flaws in Kubernetes cluster; recommendations proposed

The Kubernetes cluster’s master and its resources are contacted through the Kubernetes API service, which is backed by the Kubernetes apiserver. The apiserver accepts incoming connections, checks the authenticity of the calling entity, and then applies the corresponding request handlers. One type of payload accepted by the Kubernetes API service is exclusive to YAML manifests and concerns the use of “references”: a reference to a node can be used inside nodes that are themselves referenced by other nodes. This nesting of references, and its subsequent expansion, is the cause of the current security vulnerability in the Kubernetes API.

The Kubernetes apiserver performs no input validation on uploaded YAML, and also imposes no hard limit on the size of the expanded document. These omissions make the apiserver an easy target. StackRox therefore believes that only a proper fix to the apiserver code can safeguard Kubernetes from this “billion laughs” attack.

Read Also: Kubernetes 1.16 releases with Endpoint Slices, general availability of Custom Resources, and other enhancements

StackRox’s recommendations to protect the Kubernetes API server

- Analyze the Kubernetes Role-based access control (RBAC) policies to ensure that only trusted entities hold privileged access to a cluster’s resources, and audit the cluster roles regularly.
- Treat entities with low or no trust as unauthenticated users and keep their privileges accordingly.
- Disable anonymous access by passing the --anonymous-auth=false flag to both the API server and the Kubelets.
- Keep in mind that even small pieces of information, such as the API server version or the fact that a Kubernetes API server is running on a particular host, can be valuable to an attacker.
- Do not expose the Kubernetes API server endpoint to the internet; instead, secure it with network firewalls and grant access only from trustworthy (private) subnets or VPC networks.

Head over to the StackRox page for more details on the security vulnerability of the Kubernetes API.
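Since the attack hinges on nested alias expansion with no size limit, a defender can estimate the expanded size of a submitted YAML document before handing it to a full parser. The budget check below is an added example written for this article, not code from StackRox or the Kubernetes project; the YamlExpansionError class, the line-based heuristic and the two sample documents are all constructed here.

```python
"""Budget check for YAML alias expansion before a document reaches a full parser.

Added example, not StackRox or Kubernetes code. It scans the document line by
line, tracks anchors (&name) and aliases (*name), and estimates how many nodes a
parser would materialise once every alias is expanded: each non-blank line is one
node, and each alias adds the full expanded size of the anchor it names. Quoted
scalars are blanked out first so a '*' inside a string is not taken for an alias.
The heuristic is conservative: it may over-count, so it errs towards rejecting.
"""
import re

ANCHOR_RE = re.compile(r"&([A-Za-z0-9_.-]+)")
ALIAS_RE = re.compile(r"\*([A-Za-z0-9_.-]+)")
QUOTED_RE = re.compile(r'"[^"]*"|\'[^\']*\'')


class YamlExpansionError(ValueError):
    """Expansion exceeds the budget, or an alias is cyclic or undefined."""


def _clean(line):
    # Blank out quoted scalars, then drop a trailing comment.
    line = QUOTED_RE.sub('""', line)
    idx = line.find(" #")
    return line if idx < 0 else line[:idx]


def estimate_expansion(text, max_nodes=100_000):
    """Return the estimated node count after alias expansion; raise
    YamlExpansionError as soon as the running total passes max_nodes."""
    sizes = {}   # expanded size of every anchor already closed
    stack = []   # open anchors, innermost last: [indent, name, size]
    total = 0    # size of top-level content already closed

    def add_to_enclosing(cost):
        nonlocal total
        if stack:
            stack[-1][2] += cost
        else:
            total += cost

    def lookup(name):
        if name in sizes:
            return sizes[name]
        if any(entry[1] == name for entry in stack):
            raise YamlExpansionError(f"*{name} refers to an anchor still open (cycle)")
        raise YamlExpansionError(f"*{name} has no preceding anchor")

    def close_down_to(indent):
        # An anchor's body ends at the first line indented no deeper than it.
        while stack and stack[-1][0] >= indent:
            _, name, size = stack.pop()
            sizes[name] = size
            add_to_enclosing(size)

    for raw in text.splitlines():
        line = _clean(raw)
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        close_down_to(indent)
        m = ANCHOR_RE.search(line)
        if m:
            # Aliases before '&' belong to the enclosing node; the line itself and
            # any aliases after '&' belong to the anchor being opened.
            add_to_enclosing(sum(lookup(n) for n in ALIAS_RE.findall(line[: m.start()])))
            stack.append([indent, m.group(1), 1])
            stack[-1][2] += sum(lookup(n) for n in ALIAS_RE.findall(line[m.end():]))
        else:
            add_to_enclosing(1 + sum(lookup(n) for n in ALIAS_RE.findall(line)))
        live = total + sum(entry[2] for entry in stack)
        if live > max_nodes:
            raise YamlExpansionError(f"estimated {live} nodes exceeds budget {max_nodes}")

    close_down_to(-1)
    return total


def is_within_budget(text, max_nodes=100_000):
    # True if the document expands within budget; False on overflow or a bad alias.
    try:
        estimate_expansion(text, max_nodes)
        return True
    except YamlExpansionError:
        return False


# Constructed sample: an ordinary manifest that reuses one anchor twice.
BENIGN_DOC = """\
defaults: &defaults
  image: nginx:1.25
  replicas: 2
web:
  <<: *defaults
  port: 80
api:
  <<: *defaults
  port: 8080
"""

# Constructed sample in the shape of a "billion laughs" document, cut to four
# levels so it stays small; each level references the previous one nine times.
LAUGHS_DOC = """\
a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
"""

if __name__ == "__main__":
    print(estimate_expansion(BENIGN_DOC), is_within_budget(LAUGHS_DOC, 500))
```

The four-level sample expands from 4 lines to 922 nodes, while the benign manifest grows from 9 lines to only 15; a production gate would combine such a check with a hard cap on request body size at the ingress.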


Google’s DNS over HTTPS encryption plan faces scrutiny from ISPs and the Congress

Savia Lobo
04 Oct 2019
4 min read
On September 29, the House Judiciary Committee scrutinized Google’s plans for using DNS over HTTPS (DoH) “because of concerns that it could give the company a competitive advantage by making it harder for others to access consumer data,” The Wall Street Journal reported. Congress is investigating Google’s move to encrypt DNS requests over claims that the switchover could stifle competition, the WSJ further mentions. In a September 13 letter, the Judiciary Committee asked Google for details about its “decision regarding whether to adopt or promote the adoption” of the protocol. Further, in a letter written to Congress on September 19, Big Cable and other telecom industry groups said that DNS over HTTPS "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues."

In an email to Ars Technica, Google wrote, "Google has no plans to centralize or change people's DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate."

Google laid out its DNS-over-HTTPS upgrade experiment in a blog post on September 10. Starting with version 78, Chrome will begin experimenting with the new DoH feature. Under the experiment, Chrome will "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider," Google wrote. "If the DNS provider isn't in the list, Chrome will continue to operate as it does today."

According to the WSJ, “The new standard would encrypt internet traffic to improve security, which could help prevent hackers from snooping on websites, and from spoofing—faking an internet website to obtain a consumer’s credit card information or other data.” However, it could also alter the internet’s competitive landscape, cable and wireless companies said. “They fear being shut out from much of user data if browser users move wholesale to this new standard, which many internet service providers don’t currently support. Service providers also worry that Google may compel its Chrome browser users to switch to Google services that support the protocol, something Google said it has no intention of doing,” the WSJ reports.

Mozilla plans a more aggressive DoH rollout for its users

Mozilla is planning a more aggressive rollout of the technology by gradually shifting all of its users to DoH, whether or not their existing DNS provider supports it. The shift will make Cloudflare the default DNS provider for many Firefox users, regardless of the DNS settings of the underlying OS. In July, Mozilla said that it “wouldn't enable DoH by default in the UK, where ISPs are planning to use DNS to implement legally mandated porn filtering,” Ars Technica reports. Mozilla sees the antitrust concerns raised about Google as “fundamentally misleading,” according to Marshall Erwin, Mozilla’s senior director of trust and safety. Service providers are raising these concerns to undermine the new standard and ensure that they retain access to DNS data, he said.

Also Read: ISPA nominated Mozilla in the “Internet Villain” category for DNS over HTTPs push, withdrew nominations and category after community backlash

The adoption of DoH would limit ISPs' ability to both monitor and modify customer queries; ISPs would still be able to monitor customers who keep using the ISP's own DNS servers. “If customers switched to third-party DNS servers—either from Google or one of its various competitors—then ISPs would no longer have an easy way to tell which sites customers were accessing. ISPs could still see which IP addresses a customer had accessed, which would give them some information—this can be an effective way to detect malware infections,” according to Ars Technica.

The Sept. 19 letter to lawmakers said, “Because the majority of world-wide internet traffic…runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider.” “Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries.” The ISPs urged the lawmakers to call on Google not to impose the new standard as a default in Chrome and Android. A few stakeholders also said that the new system could harm security by bypassing parental controls and filters that were developed under the current, unencrypted system, the WSJ said.

To know more about this news in detail, read The Wall Street Journal’s exclusive coverage.


"621 U.S. government, schools, and healthcare entities are impacted by ransomware attacks since January’19", highlights Emsisoft report

Sugandha Lahoti
04 Oct 2019
3 min read
A report released by antivirus company Emsisoft on October 1 sheds light on the increase in ransomware attacks on government and municipal entities. Per the report, in the first nine months of 2019, at least 621 government entities, healthcare service providers, school districts, colleges, and universities were affected by ransomware. Of these, 68 state, county and municipal entities were impacted, 491 ransomware attacks targeted healthcare providers, and there were at least 62 incidents involving school districts and other educational establishments.

“There is no reason to believe that attacks will become less frequent in the near future,” said Fabian Wosar, CTO at Emsisoft. “Organizations have a very simple choice to make: prepare now or pay later.”

Although no public dataset is available for an estimate, the Emsisoft report puts the total combined cost of all 621 incidents at $186,300,000. Winnebago County’s Chief Information Officer, Gus Gentner, recently stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover. We cannot comment on the accuracy of that statement but, if correct, it would put the total cost at more than $5 billion.”

Trends identified by the report

- Cybercriminals are increasingly targeting software commonly used by MSPs and other third-party service providers.
- The average ransom demand has continued to increase in 2019.
- Insured entities may be more likely to pay demands, which makes ransomware more profitable than it otherwise would be.
- Email attachments and Remote Desktop Protocol continue to be the attack vectors of choice.

The Emsisoft report suggests two workarounds to reduce recovery costs. These workarounds may, in some cases, either completely eliminate the need for a ransom to be paid or enable recovery for significantly less than the amount of the ransom demand. The report also calls for improving coordination and communication channels between the private sector and law enforcement agencies.

In sync with the Emsisoft report, the US Senate last week passed a bill called the DHS Cyber Hunt and Incident Response Teams Act. Under this bill, the Department of Homeland Security (DHS) will maintain cyber hunt and incident response teams to help private and public entities defend against cyber-attacks such as ransomware. "The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting Upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments," stated Senator Schumer in a press release. The bill previously passed the House and is expected to be signed into law by the President in the coming months.

You can read the full report on Emsisoft’s official blog post.


Microsoft announces new dual-screen device Surface Neo and Windows 10 X, to be launched next year

Vincy Davis
03 Oct 2019
3 min read
Yesterday, Microsoft made a series of announcements at its annual Surface hardware event in New York. While the event included interesting announcements such as the new Surface Pro 7, Surface Earbuds and more, the main highlights were the new dual-screen Microsoft Surface Neo and Windows 10 X. The dual-screen Surface Neo is expected to go on sale in 2020, before the holiday season. To enable smooth working on dual-screen devices, Microsoft has redesigned a version of Windows 10 to create Windows 10 X, also known by the codename “Santorini”.

In a statement to The Verge, Joe Belfiore, head of Windows experiences, said, “We see people using laptops. We see people using tablets. We saw an opportunity both at Microsoft and with our partners to fill in some of the gaps in those experiences and offer something new.”

At the event, Microsoft said that it is announcing the new hardware and software early to help developers come up with exclusive applications ahead of the launch. It also added that Windows 10 X is not a new operating system, but a more adaptable format of it. This means that Windows 10 X will only be available on dual-screen devices and not as a standalone copy.

Read Also: A Microsoft Windows bug deactivates Windows 10 Pro licenses and downgrades to Windows 10 Home, users report

The Surface Neo device has two separate 9-inch displays that fold out to a full 13-inch workspace. It has an intricate hinge that allows the device to switch into a variety of modes. The device also has a Bluetooth keyboard that flips, slides, and locks into place with magnets, and can be stored and secured on the rear of the device. The Surface Neo also has a Surface Slim Pen, which attaches magnetically. Microsoft has maintained that the device is not completely ready and that more developments can be expected by the time of its launch.

Microsoft may modularize the Windows 10 core technology and use the Start menu to display it in HoloLens. Similarly, Windows 10 X can put the taskbar or Start menu on either panel as needed. Users will also be able to use the Start menu on either panel, depending on the work they are doing on each of the two panels.

Read Also: Microsoft Azure VP demonstrates Holoportation, a reconstructed transmittable 3D technology

Windows 10 X could be used in a number of ways, such as note-taking, mobile presentation, portable all-in-one, laptop, and reading. The engineering lead on Windows 10X, Carmen Zlateff, says, “We’re working to take the best of the applications that people need and use most — things like Mail, Calendar, and PowerPoint — and bring them over to dual screens in a way that creates flexible and rich experiences that are unique to this OS and devices.” Zlateff further adds, “Our goal is that the vast majority of apps in the Windows Store will work with Windows 10X.”

Users are excited about the new Surface Neo and Windows 10 X announcements.

https://twitter.com/RoguePlanetoid/status/1179447805036941312
https://twitter.com/BenBajarin/status/1179414618021748737


Introducing spaCy v2.2!

Savia Lobo
03 Oct 2019
4 min read
Yesterday, the team at Explosion announced a new version of the natural language processing library, spaCy v2.2, highlighting that this version is much leaner, cleaner and even more user-friendly. spaCy v2.2 includes new model packages and features for training, evaluation, and serialization. This version also includes many bug fixes, improved debugging and error handling, and a greatly reduced size of the library on disk.

What’s new in spaCy v2.2

More languages and improvements to existing pretrained models

This spaCy version introduces pretrained models for two additional languages: Norwegian and Lithuanian. The accuracy of both is likely to improve in subsequent releases, as the current models use neither pretrained word vectors nor the spacy pretrain command. The team looks forward to adding more languages soon. The pretrained Dutch NER model now includes a new dataset, making it much more useful. The new dataset provides OntoNotes 5 annotations over the LaSSy corpus, which allowed the researchers to replace the semi-automatic Wikipedia NER model with one trained on gold-standard entities of 20 categories.

[Image source: explosion.ai]

New CLI features for training

spaCy v2.2 includes various usability improvements to the training and data development workflow, especially for text categorization. The developers have improved the error messages, updated the documentation, and made the evaluation metrics more detailed; for example, the evaluation now provides per-entity-type and per-text-category accuracy statistics by default. To make training even easier, the developers have also introduced a new debug-data command to validate user training and development data, get useful stats, and find problems like invalid entity annotations, cyclic dependencies, low-data labels and more.

Reduced disk footprint and improvements in language resource handling

As spaCy has supported more languages, the disk footprint has crept steadily upwards, especially when support was added for lookup-based lemmatization tables. These tables were stored as Python files, and in some cases became quite large. The spaCy team has switched these lookup tables over to gzipped JSON and moved them out to a separate package, spacy-lookups-data, that can be installed alongside spaCy if needed. Depending on the system, your spaCy installation should now be 5-10× smaller. Large language resources are now also powered by a consistent Lookups API that you can take advantage of when writing custom components. Custom components often need lookup tables that are available to the Doc, Token or Span objects. The natural place for this is the shared Vocab, and custom components can now place data there too, using the new lookups API.

New DocBin class to efficiently serialize Doc collections

The new DocBin class makes it easy to serialize and deserialize a collection of Doc objects together and is much more efficient than calling Doc.to_bytes on each individual Doc object. You can also control what data gets saved, and you can merge pallets together for easy map/reduce-style processing.

Up to 10 times faster phrase matching

spaCy’s previous PhraseMatcher algorithm could easily scale to large query sets. However, it wasn't necessarily that fast when fewer queries were used, making its performance characteristics a bit unintuitive. spaCy v2.2 replaces the PhraseMatcher with a more straightforward trie-based algorithm. Because the search is performed over tokens instead of characters, matching is very fast, even before the implementation was optimized using Cython data structures. With a few queries, the new implementation is almost 20× faster, and it's still almost 5× faster when 10,000 queries are used.

[Figure: Benchmarks for searching over 10,000 Wikipedia articles. Source: explosion.ai]

Bug fixes in spaCy v2.2

- Reduced package size on disk by moving and compressing large dictionaries.
- Updated lemma and vector information after splitting a token.
- Doc.retokenize now automatically skips duplicates.
- Allows customizing the entity HTML template in displaCy.
- Ensures training doesn't crash with empty batches.

To know about the other bug fixes in detail, read the release notes on GitHub.

Many are excited to try the new version of spaCy. A user on Hacker News commented, “Nice! I'm excited! I've been working on a heavy NLP project with Spanish and been having some issues and so this will be nice to test out and see if it helps!”

To know more about spaCy v2.2 in detail, read the official post.

Apple bans HKmap.live, a Hong Kong protest safety app from the iOS Store as it makes people ‘evade law enforcement’

Sugandha Lahoti
03 Oct 2019
4 min read
Update: A day after banning HKmap.live, Apple brought it back to the iOS Store after backlash from the general public. Apple told the creators of HKmap, "Congratulations! We're pleased to let you know that your app, HKmap, has been approved for the App Store. Once your app has been released, it can take up to 24 hours before your app becomes available on the App Store." In response, the creators of HKmap tweeted, "Thanks everyone, Apple finally made the right decision."

Amid the escalating tensions in Hong Kong, Apple has banned a protest safety app that helps people track the locations of the police and the protestors in Hong Kong. HKmap.live is a crowdsourced map that integrates with Telegram and uses emojis to help people track and avoid areas where protesters, police, and traffic are present. It also shows areas where there is tear gas, mass arrests, etc. According to a tweet, Apple told HKmap.live, “Your app contains content - or facilitates, enables, and encourages an activity - that is not legal ... Specifically, the app allowed users to evade law enforcement."

Hong Kong is currently experiencing dangerous clashes between the police and pro-democracy demonstrators, and the police are becoming more violent, attacking not only protestors but also families, elderly people, and innocent bystanders. The sole purpose of HKmap.live is to track police activity on the streets of Hong Kong and ‘not to help people navigate to other locations’. The application is used widely by Hong Kong residents who wish to avoid inadvertently wandering into violent situations.

The creators of HKmap wrote, “Apple assumes our users are lawbreakers and therefore evading law enforcement, which is clearly not the case.” They argue that other apps such as the driving app Waze (which also notes users’ locations) should be banned as well. This could also be Apple’s way of simply avoiding China’s anger. HKMLive wrote on Twitter, “This is getting way more feedback than I expected. To make it clear, I still believe this is more a bureaucratic f up than censorship. Everything can be used for illegal purposes on the wrong hand. Our App is for info, and we do not encourage illegal activity.”

The ban has got people quite angry. Pinboard tweeted, “To deny the people of Hong Kong one of the few tools that defend them against police aggression is such a craven act that I can't even put it into words. Is Apple going to side with "law enforcement" in every dictatorship on the planet? Is coddling China worth that much to them?” The tweet further adds, “On behalf of tech people in America, I would like to apologize to the people of Hong Kong for this humiliating display by our biggest tech company. These are not the fundamental American values you have in mind when you wave our flag at your protests, and we must do better”

A user wrote on Hacker News, “Really hard to believe that Apple is the "privacy-oriented company we can trust", that the company constantly touts in their advertising as a reason to buy their products mind you when at the same time, you have news like this constantly coming out.”

Previous to this, Chinese state-run media agencies have also been buying advertisements and promoted tweets on Twitter and Facebook to portray Hong Kong protestors and their pro-democracy demonstrations as violent. These ads, reported by Pinboard’s Twitter account, were circulated by the state-run news agency Xinhua, calling the protesters those “escalating violence” and calling for “order to be restored.” In reality, the Hong Kong protests have been called a completely peaceful march. Pinboard warned and criticized Twitter about these tweets and asked for their takedown.

For now, HKMap.live is also available as a web app, so it can still be used.


A Cargo vulnerability in Rust 1.25 and prior makes it ignore the package key and download a wrong dependency

Bhagyashree R
01 Oct 2019
3 min read
Yesterday, the Rust team shared that a Cargo vulnerability confuses older versions of Cargo, making them ignore the new package rename feature and download a wrong dependency. This vulnerability, tracked as CVE-2019-16760, affects Rust 1.0 through Rust 1.25. It was first reported to the Rust team by Elichai Turkel:

https://twitter.com/Elichai2/status/1178681807170101248

Details of the Cargo vulnerability

Rust 1.31 introduced the package configuration key for renaming dependencies in the Cargo.toml manifest file. Cargo in Rust 1.25 and prior ignores this key when it is used to rename dependencies, and so may end up downloading a wrong dependency. This affects not only manifests written locally, but also those published to crates.io. “If you published a crate, for example, that depends on `serde1` to crates.io then users who depend on you may also be vulnerable if they use Rust 1.25.0 and prior. Rust 1.0.0 through Rust 1.25.0 is affected by this advisory because Cargo will ignore the `package` key in manifests,” the team wrote. Rust 1.26 through Rust 1.30 are not affected, because Cargo in these versions throws an error as the package key is unstable there. Rust 1.31 and later are not affected because Cargo understands the package key.

Mitigation steps for this Cargo vulnerability

The team has already audited the existing crates published to crates.io that use the package key and has not detected any exploitation of this vulnerability. Nevertheless, they recommend that users of the affected versions update their compiler to 1.26 or later. The team further wrote, “We will not be issuing a patch release for Rust versions prior to 1.26.0. Users of Rust 1.19.0 to Rust 1.25.0 can instead apply the provided patches to mitigate the issue.”

This news sparked a discussion on Reddit about how the issue could have been avoided. One user commented, “What do we learn from this? Always throw an error if you encounter an unknown key inside a known configuration object.” Another user suggested, “It would be better to have the config contain a "minimum allowed cargo version", and if you want to use new features you have to bump this version number to at least the version which added the feature. Old versions of cargo can detect the version number and automatically refuse to compile the crate if the minimum version is newer than the cargo version.”

Read the official announcement by the Rust team to know more about this vulnerability in detail.
Amrata Joshi
01 Oct 2019
5 min read

TON: Telegram’s decentralized blockchain network faces mixed reactions from financial regulators as more information is needed

Telegram is joining the blockchain league with Telegram Open Network (TON), its own blockchain network. TON is expected to bring blockchain payments to Telegram’s 365 million users by the end of October. Earlier this month, Telegram released half a million lines of code for TON, new documentation, and a beta. According to Decrypt, “If TON delivers on promises of high speeds and decentralization, it’d be the largest blockchain launch in history.”

Regulators raised their voice against Facebook’s Libra

Regulators had raised their voice against Facebook's cryptocurrency, Libra, and Libra’s launch has been pushed back since it could lead to serious security issues, while Congress has already drafted bills to ban it. Maxine Waters, chairwoman of the Committee on Financial Services, said in a letter to Facebook, “It appears that these products may lend themselves to an entirely new global financial system that is based out of Switzerland and intended to rival U.S. monetary policy and the dollar.” It further reads, “This raises serious privacy, trading, national security, and monetary policy concerns for not only Facebook's over 2 billion users, but also for investors, consumers, and the broader global economy.” France is blocking Libra as well. According to The Independent, Bruno Le Maire, Economy and Finance Minister of France, said, “I want to be absolutely clear: In these conditions, we cannot authorize the development of Libra on European soil.”

Regulators need more information on TON and are so far unable to judge it

Now the question arises: how will TON survive under the regulators’ strict eye? Most regulators haven’t commented on TON, and a few others think that more information on TON is needed. A spokesperson from the German Central Bank said, “We do not possess any specific information on TON. That's why we cannot comment on this app.” A spokesperson from the European Data Protection Supervisor, a regulatory body on privacy, said, “There is not much info indeed.” He further added, “Telegram will have to apply the GDPR; no specific TON regulation is needed here. Telegram will have to fulfill all compliance obligations.” These comments from the regulators offer little clarity on TON. Mitja Goroshevsky, CTO of TON Labs, pointed out that the lack of interest from regulators is because the Facebook-led Libra Association is quite different from TON. According to Mitja, Libra isn’t decentralized, whereas TON is a decentralized blockchain. A few other regulators think that TON doesn’t violate any laws but might face criticism from certain authorities who protect the financial system. According to others, TON needs to have a model designed wherein it will be responsible for controlling all the validators. In a statement to Decrypt, Pavel Prigolovko, Vice President, Strategy, TON Labs, said, “TON has to switch from a model where all the validators are controlled by TON itself during the launch, to one where the community controls the majority of the validators.” Prigolovko further added, “This transition depends on the technical availability of the large Gram holders to become validators. There are quite a few technical challenges to become a validator, like setting up a reliable infrastructure with proper processes, scripts [and] monitoring.”

TON will require KYC details concerning user data

Some regulators are sceptical about where the user data will be stored, as Telegram hasn’t provided enough details on this. As wallets will be linked, clarity on where the data will be stored is important. TON will require KYC details, and users will have to follow the KYC regulations. Mitesh Shah, CEO of blockchain analytics company Omnia Markets Inc, said that Telegram has given little information about where and how user data is stored. “There are more users here than on any other chain, and having it stored in a proper place is one of the largest concerns.” Goroshevsky noted that neither Telegram nor TON would require KYC functionality. That said, users will have to adhere to the KYC regulations of individual exchanges when buying or cashing out Grams. Although KYC details are unique to an individual, the platform could still be misused by terrorists, a few of whom already use Telegram to promote their campaigns. Users can make fake accounts and misuse the platform to hide the transfer of money. Last month, Steven Stalinsky of the Middle East Media Research Institute told Decrypt about concerns that TON would be exploited by terrorists, who already use Telegram to promote violent campaigns. Even if KYC were implemented, Telegram wouldn’t be able to prevent subversive groups from using fake accounts to hide the transfer of money. On the contrary, according to Goroshevsky, since TON is a decentralized blockchain, it wouldn’t collect user data and it will be transparent. Goroshevsky said, “TON is not collecting user data hence it is not going to store it. TON is a decentralized blockchain and as any such blockchain, it will be fully open and transparent. And of course, that means all transaction details will be public, like on any other public ledger.” Considering the mixed reactions from regulators, it will be interesting to see whether TON gets approval for its launch or faces the same fate as Facebook’s Libra. To know more about this news in detail, check out Decrypt’s post.
Other interesting news in Security
  • 10 times ethical hackers spotted a software vulnerability and averted a crisis
  • New iPhone exploit checkm8 is unpatchable and can possibly lead to permanent jailbreak on iPhones
  • Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT
Bhagyashree R
30 Sep 2019
10 min read

Amazon's hardware event 2019 highlights: a high-end Echo Studio, the new Echo Show 8, Echo Loops, and more

At its annual hardware event 2019, Amazon unveiled an avalanche of Alexa-powered products. It introduced a high-end Echo Studio, the new Echo Show 8, an Echo Dot with a clock, and a four-in-one Amazon Smart Oven. The company is also trying to enter the smart wearables market with its Echo Frames eyewear and Echo Loops. It also debuted Echo Buds earbuds, a competitor to Apple’s AirPods. Echo Frames and Echo Loops are part of Amazon’s Day 1 Editions program, a program for experimental products that are offered with limited availability to gauge customers’ response and then mass-produced if the response is positive.

Alexa becomes more "emotive and expressive"

Amazon announced that Alexa now has a multilingual mode. The new mode will initially be available in three countries: the US, Canada, and India. Other than English, Alexa will speak Spanish in the US, French in Canada, and Hindi in India. Customers will be able to interact with Alexa-powered devices in both languages simultaneously. In addition to becoming a polyglot, Alexa will also be more “emotive and expressive” with the help of a new Neural Text to Speech model. Additionally, customers will be able to switch Alexa’s voice to a celebrity voice. It will use the new text-to-speech technology to mimic celebrity voices, with Samuel L. Jackson’s being the first. Amazon will roll out additional celebrity voices next year, priced at $0.99 each.

Amazon’s steps towards better privacy

Amazon’s Alexa has raised several privacy concerns among users. In July, Amazon admitted that some voice recordings made by Alexa are never deleted from the company’s servers, even when the user manually deletes them. Another report in April this year revealed that when you speak to an Echo smart speaker, not only Alexa but potentially Amazon employees too listen to your requests. In May, two lawsuits were filed in Seattle stating that Amazon is recording voiceprints of children using its Alexa devices without their consent. The company says it is taking a few steps to address these privacy concerns. Amazon’s hardware and services chief Dave Limp announced, “We’re investing in privacy across the board. Privacy cannot be an afterthought when it comes to the devices and services we offer our customers. It has to be foundational and built-in from the beginning for every piece of hardware, software, and service that we create.” Amazon has introduced a new set of features that will give users more control over the voice recordings stored by their Alexa device. Users will be able to hear everything Alexa recorded with the help of a voice command and delete recordings on a rolling three-month or eight-month basis. Amazon’s Ring doorbells have faced criticism from privacy and civil rights advocates because of their ties with police departments. “While more surveillance footage in neighborhoods could help police investigate crimes, the sheer number of cameras run by Amazon's Ring business raises questions about privacy involving both law enforcement and tech giants,” a story by CNET revealed. To somewhat address this concern, Ring video doorbells now have a new feature called Home Mode that stops audio and video recording when the owner is home. Coming to the privacy of kids, Amazon announced that parents can use a new setting called Alexa Communications for Kids. This will help them determine the contacts their kids are allowed to interact with when using the Echo Dot Kids Edition.

The Echo family

Echo with improved audio quality

Amazon has revived its baseline Echo speaker with improved audio quality. The new audio hardware includes neodymium drivers, more volume, and a stronger mid-range. Users now also have new colorful fabric covers (Twilight Blue, Charcoal, Heather Grey, and Sandstone) to choose from. It is priced at $99, the same as its predecessor.

Echo Studio, Amazon's first high-end smart speaker with immersive 3D audio support

Amazon’s big reveal of its first high-end smart speaker, Echo Studio, was probably one of the key highlights of the event. It is also the first smart speaker to feature 3D audio with both Dolby Atmos and Sony’s 360 Reality Audio codecs on board. It was built alongside Amazon’s new Music HD streaming service to give Echo customers a way to listen to lossless music. Echo Studio achieves its immersive 3D soundscape with the help of five drivers: three 2-inch midrange speakers, a 1-inch tweeter, and a 5.25-inch woofer. Of the three mid-range speakers, two emit sound from the sides, while the third emits from the front of the cylinder. They are strategically placed so that Echo Studio is able to “position” sound in 3D space.

Echo Dot with Clock

Amazon’s popular entry-level smart speaker, the Echo Dot, now has a digital alarm clock built into the front, next to the speaker grille. Its LED display also allows the Dot to show the weather or a countdown timer. This new version will not replace the current Dot, but will instead exist alongside it in the company’s Echo lineup.

Echo Show 8, a smaller 8-inch version of Echo Show 10

Back in June, Amazon introduced Echo Show 5, which packs a lot of features into a compact smart display and serves as an alarm clock alternative. There is already a 10-inch flagship model of the Echo Show. And, at Wednesday’s event, it announced yet another version of the smart screen: Echo Show 8. Echo Show 8 provides audio quality similar to the 10-inch version and has a built-in privacy shutter. It also includes the new Drop-in On All feature that lets users create a large group chat with family and friends.

Echo Loop and Frames

This time Amazon has also ventured into smart wearables with the Alexa-powered Echo Loop and Echo Frames. The main purpose of these two smart wearables is to let customers use Alexa wherever they go, whenever they want. Echo Loop is a smart ring made of titanium that activates when you press a tiny, discreet button. It features built-in microphones and speakers for interacting with Alexa, and you can shut off the microphones by double-tapping the action button. Echo Loop comes in small, medium, large and extra-large sizes, and you can also get a ring sizing kit to help you figure out which size is best for you. As for battery life, Amazon promises that it will last about a day. It has a vibrating haptic engine for notifications and connects to your phone's Alexa app via Bluetooth. Echo Frames look like typical black-framed spectacles. They are lightweight and compatible with most prescription lenses. They have built-in directional microphones for interacting with Alexa that can be turned off with a double-press of a button when not needed. They rely on Amazon’s open-ear technology to send the assistant’s response to your ears.

Echo Buds with Bose noise cancellation technology

Amazon is challenging Apple’s AirPods and Samsung Galaxy Buds with its new Echo Buds. They provide hands-free access to Alexa and include Bose’s Active Noise Reduction Technology. Each earbud has a pair of balanced armature drivers to deliver good bass. Though their five hours of battery life isn't great, the charging case brings the total runtime up to 20 hours before you need to plug in again.

Echo Glow, a multicolor lamp for kids

Echo Glow is a multicolor lamp for kids that does not have Alexa onboard. To make it work, you connect it to any of your Alexa-enabled devices and ask Alexa to change the color, adjust brightness, and create helpful routines. It can also be controlled with a tap. A couple of its interesting use cases include a “rainbow timer”, a wake-up light alarm, and a campfire mode.

Echo Flex is a small Echo that plugs directly into the wall

Echo Flex is the affordable and versatile version of the Echo Dot smart speaker. You can plug the device directly into a wall outlet to get Alexa in places the assistant otherwise couldn’t reach. With Echo Flex, you can manage all your compatible smart devices using voice commands. For instance, you can switch on the lamp before getting out of bed or dim the lights from the couch to watch a movie.

Amazon Sidewalk, a low-power, low-bandwidth network

Most wireless standards, including Wi-Fi, ZigBee, and Z-Wave, have low range and are typically confined to your home. Other major wireless standards like LTE have a much larger range, but are expensive, hard to maintain, and eat up a vast amount of power. Amazon says that its Sidewalk network can solve this problem. It is a new wireless standard that casts a signal as far as a mile while keeping power and bandwidth low. To achieve this the company has repurposed unlicensed 900 MHz spectrum, the same spectrum used by cordless phones and walkie-talkies. But unlike walkie-talkies or cordless phones, devices using Amazon Sidewalk will form a mesh network. Use cases for this network include water sensors to keep the plants in your garden quenched or a mailbox device to let you know when you've got mail. The company will also be introducing a smart dog tag next year called Ring Fetch to help you track your dogs. This announcement started a discussion on Hacker News. Though some users were impressed by the Ring Fetch use case, others felt that the company has reinvented the wheel and is trying to introduce another proprietary protocol. “Maaaan, why in gods name do companies have to keep reinventing the wheel. There's so many protocols and specifications out there already that they just have to pick one and improve upon it with the goal of making it backward compatible with "older" versions of the protocol,” a user added. People discussed LoRaWAN, a low-power, wide-area networking protocol for connecting battery-operated devices to the internet. A user commented, “LoRaWAN fits exactly this use-case and depending on the region, can operate on any of the ISM bands. This article is very bare on technical details, but I'm so confused. LoRa's made so much effort in this space by literally mapping out every single ISM band they can (sub-GHz) and reaching out to regulators where they couldn't find a compatible match. Amazon can't possibly think the 900 MHz device is "free" globally.” Liz O'Sullivan, an AI activist, also shared her perspective on Twitter. https://twitter.com/lizjosullivan/status/1177243350283542528

Amazon also made some announcements for people who love cooking. It unveiled an Alexa-compatible kitchen countertop appliance, the Amazon Smart Oven. It is a 4-in-1 appliance that functions as a convection oven, microwave, air fryer, and food warmer. Users will also be able to leverage a new feature in Alexa called “scan-to-cook”. This will allow them to scan pre-packaged food products, including the ones sold by Amazon-owned Whole Foods, and the Amazon Smart Oven will cook them automatically.

  • Amazon’s partnership with NHS to make Alexa offer medical advice raises privacy concerns and public backlash
  • CES 2019: Top announcements made so far
  • What if buildings of the future could compute? European researchers make a proposal.
Amrata Joshi
30 Sep 2019
2 min read

zfs-0.8.2 releases with support for 2.6.32 - 5.3 Linux kernels and major bug fixes

Last week, the team behind ZFS released zfs-0.8.2, a new version of the advanced file system. This release supports the 2.6.32 - 5.3 Linux kernels and comes with a list of changes.

What’s new in zfs-0.8.2

  • The deadlock condition when scrubbing root pools on kernels has been resolved in this release.
  • The team has made QAT related bug fixes.
  • The zpool subcommands’ error messages and unsupported options have been fixed.
  • The zfs-dkms .deb package warning in the prerm script has been fixed.
  • The zvol_wait script now ignores partially received zvols.
  • A new service that waits on zvol links has been created.
  • The arch warning in etc/init.d/zfs-functions.in has been removed.
  • Comments have been updated to match the code.
  • The ZFS_DEV macro is now used instead of literals.
  • The slog test setup has been made more robust.
  • Performance has been improved with the help of dmu_tx_hold_*_by_dnode().
  • The default zcmd allocation has been increased to 256K.
  • The error text for EINVAL in zfs_receive_one() has been fixed.

Several users on Hacker News seem to be happy about this release and the progress made by the team behind ZFS. A user commented on Hacker News, “I contributed a few patches to ZFS on Linux about 8 years ago - at a time when it was still very much in its infancy and panic'd when you looked at it in the wrong way. It's incredible how far they've come. We're using ZFS on Linux on about 120 servers at work and it's rock solid. Snapshots are a lifesaver in our day-to-day ops.” Another user commented, “Always admired ZFS since when it came out. The talks by the creators were so enlightening.” A few others expected a block-pointer rewrite and background dedupe in this release. One of them commented, “Still no block-pointer rewrite?” To know more about this news, check out the official post.
Other interesting news in programming
  • Rust 1.38 releases with pipelined compilation for better parallelism while building a multi-crate project
  • Mypy 0.730 releases with more precise error locations, display error codes and more!
  • GNOME Foundation’s Shotwell photo manager faces a patent infringement lawsuit from Rothschild Patent Imaging
Bhagyashree R
30 Sep 2019
5 min read

Cloudflare and Google Chrome add HTTP/3 and QUIC support; Mozilla Firefox soon to follow suit

Major web companies are adopting HTTP/3, the latest iteration of the HTTP protocol, in their experimental as well as production systems. Last week, Cloudflare announced that its edge network now supports HTTP/3. Earlier this month, Google’s Chrome Canary added support for HTTP/3, and Mozilla Firefox will soon be shipping support in a nightly release this fall. The ‘curl’ command-line client also has support for HTTP/3.

In its announcement, Cloudflare shared that customers can turn on HTTP/3 support for their domains by enabling an option in their dashboards. “We’ve been steadily inviting customers on our HTTP/3 waiting list to turn on the feature (so keep an eye out for an email from us), and in the coming weeks we’ll make the feature available to everyone,” the company added. Last year, Cloudflare announced preliminary support for QUIC and HTTP/3, and customers could join a waiting list to try QUIC and HTTP/3 as soon as they became available. Customers who are on the waiting list and have received an email from Cloudflare can enable the support by flipping the switch in the "Network" tab of the Cloudflare dashboard. Cloudflare further added, “We expect to make the HTTP/3 feature available to all customers in the near future.” Cloudflare’s HTTP/3 and QUIC support is backed by quiche, an implementation of the QUIC transport protocol and HTTP/3 written in Rust. It provides a low-level API for processing QUIC packets and handling connection state.

Why HTTP/3 was introduced

HTTP/1.0 required the creation of a new TCP connection for each request/response exchange between the client and the server, which resulted in latency and scalability issues. To resolve these issues, HTTP/1.1 was introduced. It included critical performance improvements such as keep-alive connections, chunked transfer encoding, byte-range requests, additional caching mechanisms, and more. Keep-alive or persistent connections allowed clients to reuse TCP connections. A keep-alive connection eliminated the need to perform the initial connection establishment step for every request and reduced the effect of TCP slow start across multiple requests. However, there were still limitations. Multiple requests were able to share a single TCP connection, but they still needed to be serialized one after the other, so the client and server could execute only a single request/response exchange at a time on each connection. HTTP/2 tried to solve this problem by introducing the concept of HTTP streams, which allowed the transmission of multiple requests and responses over the same connection at the same time. The drawback is that, in case of network congestion, all requests and responses are equally affected by packet loss, even if the data that is lost concerns only a single request.

HTTP/3 aims to address the problems of the previous versions of HTTP. It uses a new transport protocol called Quick UDP Internet Connections (QUIC) instead of TCP. The QUIC transport protocol comes with features like stream multiplexing and per-stream flow control. Cloudflare’s post includes a diagram depicting the communication between client and server using QUIC and HTTP/3. HTTP/3 provides reliability at the stream level and congestion control across the entire connection. QUIC streams share the same QUIC connection, so no additional handshakes are required. As QUIC streams are delivered independently, packet loss affecting one stream does not affect the others. QUIC also combines the typical three-way TCP handshake with the TLS 1.3 handshake, which provides encryption and authentication by default and enables faster connection establishment. “In other words, even when a new QUIC connection is required for the initial request in an HTTP session, the latency incurred before data starts flowing is lower than that of TCP with TLS,” Cloudflare explains.
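An added illustration in Rust (not Cloudflare's code and not quiche) of the head-of-line blocking the preceding paragraphs describe: packets from several HTTP streams share a single in-order delivery domain when they all ride one TCP connection, but each QUIC stream is ordered on its own, so one lost packet stalls every HTTP/2 stream yet only one HTTP/3 stream. The integer time units, the round-robin packet schedule and the retransmission delay are constructed assumptions for the model.

```rust
/// Which layer enforces in-order delivery in this simplified model.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport {
    /// HTTP/2 style: all streams ride one TCP byte stream, so a single
    /// ordering rule covers every stream on the connection.
    SingleTcp,
    /// HTTP/3 style: each QUIC stream is ordered independently.
    QuicStreams,
}

/// Simulate `streams` HTTP streams, each split into `packets_per_stream`
/// packets sent round-robin. Packet `i` arrives at time `i + 1` (constructed
/// integer time units), except the one in `lost`, whose retransmission lands
/// `retransmit_delay` units after the last regular packet.
/// Returns, per stream, the time its final packet is handed to the application.
pub fn completion_times(
    transport: Transport,
    streams: usize,
    packets_per_stream: usize,
    lost: Option<usize>,
    retransmit_delay: u32,
) -> Vec<u32> {
    let total = streams * packets_per_stream;
    let arrival = |i: usize| -> u32 {
        if Some(i) == lost {
            total as u32 + retransmit_delay
        } else {
            i as u32 + 1
        }
    };
    let mut done = vec![0u32; streams];
    // Time the most recent in-order packet was delivered, per ordering domain:
    // one domain for the whole TCP connection, one per QUIC stream.
    let mut last_delivered = match transport {
        Transport::SingleTcp => vec![0u32; 1],
        Transport::QuicStreams => vec![0u32; streams],
    };
    for i in 0..total {
        let stream = i % streams;
        let domain = match transport {
            Transport::SingleTcp => 0,
            Transport::QuicStreams => stream,
        };
        // A packet becomes usable only once everything before it in its
        // ordering domain has been delivered: this is head-of-line blocking.
        let delivered = arrival(i).max(last_delivered[domain]);
        last_delivered[domain] = delivered;
        done[stream] = delivered;
    }
    done
}

/// Number of streams that finish later than they would without the loss.
pub fn streams_stalled(
    transport: Transport,
    streams: usize,
    packets_per_stream: usize,
    lost: usize,
    retransmit_delay: u32,
) -> usize {
    let baseline = completion_times(transport, streams, packets_per_stream, None, retransmit_delay);
    let with_loss = completion_times(transport, streams, packets_per_stream, Some(lost), retransmit_delay);
    baseline.iter().zip(&with_loss).filter(|(b, l)| l > b).count()
}

fn main() {
    // Three streams of four packets each; the second packet on the wire
    // (stream 1's first) is lost and its retransmission lands five units late.
    for t in [Transport::SingleTcp, Transport::QuicStreams].iter().copied() {
        println!(
            "{:?}: completion times {:?}, streams stalled by the loss: {}",
            t,
            completion_times(t, 3, 4, Some(1), 5),
            streams_stalled(t, 3, 4, 1, 5)
        );
    }
}
```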
On Hacker News, a few users discussed the differences between HTTP/1, HTTP/2, and HTTP/3. Comparing the three, a user commented, “Not aware of benchmarks, but specification-wise I consider HTTP2 to be a regression...I'd rate them as follows: HTTP3 > HTTP1.1 > HTTP2. QUIC is an amazing protocol...However, the decision to make HTTP2 traffic go all through a single TCP socket is horrible and makes the protocol very brittle under even the slightest network delay or packet loss...Sure it CAN work better than HTTP1.1 under ideal network conditions, but any network degradation is severely amplified, to a point where even for traffic within a datacenter can amplify network disruption and cause an outage. HTTP3, however, is a refinement on those ideas and gets pretty much everything right afaik.” Some expressed that the creators of HTTP/3 should also focus on the “real” issues of HTTP, including proper session support and getting rid of cookies. Others appreciated the step, saying, “It's kind of amazing seeing positive things from monopolies and evergreen updates. These institutions can roll out things fast. It's possible in hardware too-- remember Bell Labs in its hay days?” These were some of the advantages HTTP/3 and QUIC provide over HTTP/2. Read the official announcement by Cloudflare to know more in detail.

  • Cloudflare plans to go public; files S-1 with the SEC
  • Cloudflare finally launches Warp and Warp Plus after a delay of more than five months
  • Cloudflare RCA: Major outage was a lot more than “a regular expression went bad”
Sugandha Lahoti
30 Sep 2019
4 min read

New iPhone exploit checkm8 is unpatchable and can possibly lead to permanent jailbreak on iPhones

An iOS researcher who goes by the Twitter handle @axi0mX has released a new iOS exploit, checkm8, that affects all iOS devices running on A5 to A11 chipsets. The exploit targets a vulnerability in Apple’s bootrom (secure boot ROM) which can give phone owners and hackers deep-level access to their iOS devices. Once a device is jailbroken this way, Apple is unable to block or patch it out with a future software update, so this iOS exploit can lead to a permanent, unblockable jailbreak on iPhones. Jailbreaking can allow hackers to get root access, enabling them to install software that is unavailable in the Apple App Store, run unsigned code, read and write to the root filesystem, and more. https://twitter.com/axi0mX/status/1178299323328499712

The researcher considers checkm8 possibly the biggest news in the iOS jailbreak community in years, because bootrom jailbreaks are mostly permanent and cannot be patched. Fixing it would require physical modifications to the device chipsets, which can only happen through recalls or mass replacements. It is also the first bootrom-level exploit publicly released for an iOS device since the iPhone 4, which was released almost a decade ago. axi0mX had also released another jailbreak-enabling exploit, alloc8, in 2017. alloc8 exploits a powerful vulnerability in the function malloc in the bootrom of iPhone 3GS devices. checkm8, however, impacts devices starting with the iPhone 4S (A5 chip) through the iPhone 8 and iPhone X (A11 chip). The only exception is the A12 processor used in the iPhone XS / XR and 11 / 11 Pro devices, for which Apple has patched the flaw. A full jailbreak with Cydia on the latest iOS version is possible, but requires additional work.

Explaining the reason behind making this iOS exploit public, @axi0mX said, “a bootrom exploit for older devices makes iOS better for everyone. Jailbreakers and tweak developers will be able to jailbreak their phones on latest version, and they will not need to stay on older iOS versions waiting for a jailbreak. They will be safer.” The researcher adds, “I am releasing my exploit for free for the benefit of iOS jailbreak and security research community. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.”

For now, the checkm8 exploit is released in beta and there is no actual jailbreak yet. You can’t simply download a tool, crack your device, and start downloading apps and modifications to iOS. axi0mX's exploit is available on GitHub. The code isn't recommended for users without proper technical skills, as it could easily result in bricked devices. Nonetheless, it is still an unpatchable issue and poses security risks for iOS users. Apple has not yet acknowledged the checkm8 iOS exploit. A number of people tweeted about this iOS exploit and tried it. https://twitter.com/FCE365/status/1177558724719853568 https://twitter.com/SparkZheng/status/1178492709863976960 https://twitter.com/dangoodin001/status/1177951602793046016

The past year saw a number of iOS exploits. Last month, Apple accidentally reintroduced in iOS 12.4 a bug that had been patched in iOS 12.3. A security researcher who goes by the name Pwn20wnd on Twitter released unc0ver v3.5.2, a jailbreaking tool that can jailbreak A7-A11 devices. In July, two members of the Google Project Zero team revealed six “interactionless” security bugs that affect iOS by exploiting the iMessage client. Four of these bugs can execute malicious code on a remote iOS device without any prior user interaction.

  • Researchers release a study into Bug Bounty Programs and Responsible Disclosure for ethical hacking in IoT
  • ‘Dropbox Paper’ leaks out email addresses and names on sharing document publicly
  • DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants
Amrata Joshi
27 Sep 2019
3 min read

‘Dropbox Paper’ leaks out email addresses and names on sharing document publicly

This week, Koen Rouwhorst, a security engineer at Framer, reported that a feature of Dropbox Paper, a document collaboration tool, leaks out “the full name and email address of _any_ Dropbox user whoever opened that document, which seems problematic.” https://twitter.com/koenrh/status/1176523837866946561 https://twitter.com/koenrh/status/1176794225075204097

Dropbox Support responded that privacy considerations were built into how they designed their features. According to the support team, displaying this information is required for enabling collaboration and security features for their users, and admins and users receive additional control over who can view a Paper doc. According to The Register, “if someone gets to know the link, because in your enthusiasm you posted it on social media, or sent to your contact and they posted it, they may click the link and visit the page. On arrival, if they are logged into Dropbox, a warning displays, though in faint type, that says - when you open a doc, your name, email, avatar photo and viewer and visit information is always visible to other people in it.” Though Dropbox differentiates between active and inactive viewers, this information remains with Dropbox even after the user has left the page, and anyone who has opened the document while logged in will be able to see the names and email addresses of the others. However, when a user clicks the link without being logged into Dropbox, the user is shown to other users as a guest and can’t comment on or edit the document. Users may be logged into Dropbox by default, so they might see the warning and, if they proceed, end up sharing their name and email address. This works fine within a team where people know each other. As per Dropbox’s permissions page, a user can create a private document that’s not inside a folder, in which case they should be the only person editing it. When sharing the doc with others, the user can choose who can open the doc and who can comment or edit. If a user creates a doc within a folder, all members of that folder can open, search for, and edit the doc.

Users on Hacker News seem to be sceptical about this feature. A user commented on the thread, “Not only that, but Dropbox lets you pick any publicly visible document that's been viewed by a large number of people and easily spam them simply by writing @doc. I may have just pissed off a lot of people with my experiment. I realized immediately afterwards how reckless that was, but Dropbox - WTF? Why is this even allowed?” A few others complained about not being notified by the warning: “I just created a Paper document on my Dropbox account and then viewed it on another account. As best I can tell, Dropbox saying there is a notification is a lie. I did not get a visible notification when creating it although there may have been one buried under some links or button. Paper documents are publicly editable by default if you have the url.”

Other interesting news in data
  • Can a modified MIT ‘Hippocratic License’ to restrict misuse of open source software prompt a wave of ethical innovation in tech?
  • ImageNet Roulette: New viral app trained using ImageNet exposes racial biases in artificial intelligent system
  • GitLab 12.3 releases with web application firewall, keyboard shortcuts, productivity analytics, system hooks and more
DoorDash data breach leaks personal details of 4.9 million customers, workers, and merchants

Vincy Davis
27 Sep 2019
4 min read
Today, DoorDash revealed to its users that its platform suffered a major data breach on May 4, 2019, affecting approximately 4.9 million consumers, Dashers, and merchants who joined the platform on or before April 5, 2018. When DoorDash became aware of the attack earlier this month, it recruited private security experts to investigate. The investigation revealed that user data was accessed by an unauthorized third party, who is still unknown. The food delivery company has taken preventive actions to block further unauthorized access. Though DoorDash is not aware of any user passwords being compromised in the breach, it has requested all users to reset their passwords and use a unique password just for DoorDash.

In the official blog post, DoorDash has listed the types of user data that might have been compromised in the data breach:

• Profile information including names, email addresses, delivery addresses, order history, phone numbers, and more.
• For some customers, the last four digits of their consumer payment cards. However, DoorDash maintains that customers’ “full credit card information such as full payment card numbers or a CVV was not accessed.” DoorDash also confirms that the accessed information is not enough to make fraudulent charges on the payment card.
• For some Dashers and merchants, the last four digits of their bank account number. Again, DoorDash confirms that full bank account information was not accessed and that the accessed information is insufficient to perform illicit withdrawals from the bank account.
• Approximately 1 lakh (100,000) Dashers’ driver’s license numbers were also compromised.

In the blog post, DoorDash says that it has now taken the necessary remedial steps to avoid such security breaches, including additional protective security layers around the data and security protocols that govern access to systems, and has also engaged private experts to identify and repel threats more accurately in the future. Currently, DoorDash is in the process of reaching out to affected customers. DoorDash has also clarified that customers who joined the platform after April 5, 2018, are not affected by this data breach.

However, DoorDash has neither clarified how the third party accessed the users’ data nor explained how the company came to know about the breach. The blog post also does not throw any light on why the company took so long to detect this security breach. Many users are indignant about DoorDash’s lack of detail in the blog post.

https://twitter.com/peterfrost/status/1177572308136976385
https://twitter.com/benrothke/status/1177339060282523648

Many people are also of the opinion that until substantial penalties are levied against these companies, data breaches will continue to occur, and that companies should stop asking for personal information when verifying a customer. A user on Hacker News comments, “In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!" All of these leaks have the cumulative effect of making ineffective very commonly used security verification questions: "Can I verify that last 4 of your social? And the last 4 of your credit card?" How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.”

Head over to the DoorDash blog for more details about the data breach.